note-creator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Surface.
      • Ingestion points: The skill ingests user_prompt and optional_context_files as primary inputs in SKILL.md.
      • Boundary markers: No explicit delimiter or 'ignore embedded instructions' markers are defined when passing these inputs to downstream skills like obsidian-markdown or json-canvas.
      • Capability inventory: The skill has Write, Edit, and Bash(mkdir:*, echo:*, cat:*) tools enabled, allowing it to modify the local file system.
      • Sanitization: While filename sanitization exists in rules/naming.rules.md, the content of the generated notes and diagrams is derived from untrusted user input without sanitization.
      • Risk: An attacker could provide a prompt that causes the downstream generation skills to output malicious content or attempt to escape their own constraints.
  • [COMMAND_EXECUTION] (MEDIUM): Parameterized Shell Command Risks.
      • Evidence: The skill uses Bash(mkdir:*, echo:*, cat:*) to manage directories and files (documented in SKILL.md).
      • Sanitization: rules/naming.rules.md specifies removing [ / \ : * ? " < > | ] from titles. However, it does not explicitly filter other shell-sensitive characters like backticks (`), dollar signs ($), or semicolons (;).
      • Risk: If the underlying tool implementation does not properly escape these characters, a malicious title could potentially lead to command injection during the mkdir or echo operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:19 AM